#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
#    Copyright (C) 2009 - 2010  Brielle Bruns
#    Copyright (C) 2009 - 2010  The Summit Open Source Development Group
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
#
# This file defines static variables that we will be using.  Normally, you
# should not be needing to edit these.  You can override them in your options
# file easily, thus avoiding problems with overwriting settings during upgrades.

# You should always make sure this file is from the most recent firewall package,
# as missing variables here could foul up the firewall's ability to setup rules
# correctly.

# These defines are here to help pre-1.0 users easily upgrade, defines critical defaults
# that would otherwise require remaking their options file.  I leave this on by default,
# but if you want to make sure you have a current options file, define this to 0.

if [[ "$COMPAT_CONFIG" == "1" ]]; then
	MODPROBE=`which modprobe`
	PRERUN="$BASEDIR/prerun"
	POSTRUN="$BASEDIR/postrun"
fi


# ANSI color sequences
BLUE="\E[34m"
GREEN="\E[32m"
RED="\E[31m"
YELLOW="\E[33m"
PURPLE="\E[35m"
AQUA="\E[36m"
WHITE="\E[1m"
GREY="\E[37m"
DEFAULT_COLOR="\E[39m"

# Module names that we may need to load
MOD_U32="xt_u32"

# Location of the ipv4 network conf in proc
PROC_NET_IPV4="/proc/sys/net/ipv4/conf"

# Multiport options - override in options
NF_MULTIPORT="xt_multiport"
NF_MULTIPORT_MAX_PORTS="7"

# RFC 1918 Space
RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"

# By default, use conntrack instead of state
STATE_TYPE="conntrack"

# Auto detect multiport
IPTABLES_MULTIPORT=auto

# Where we store output of cached rules
RULE_CACHE=$BASEDIR/cache/ipt-rules
RULE_CACHE_V6=$BASEDIR/cache/ipt6-rules

EXTIP="auto"
EXTIF="eth0"
EXTIF_FIND="$BASEDIR/bin/get_default_if"
EXTIP_FIND="$BASEDIR/bin/get_default_ip"

# By default, we allow ipv6 critical icmp
IPV6_ICMP_CRITICAL=1

# IPv4 and IPv6 regex matches to determine if entry is valid.  These may need
# to be tweaked over time.  At the moment, we use by default the pattern here:
# http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"

# At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32)
# If anyone wants to write these, feel free to!
IPV4_NETMASK_MATCH=""
IPV6_NETMASK_MATCH=""

# Default policies for IPv4 and IPv6.  Make these ACCEPT by default, except for FORWARD,
# since one wrong configuration can lock someone out.
IPV4_PINPUT=ACCEPT
IPV4_POUTPUT=ACCEPT
IPV4_PFORWARD=DROP
IPV6_PINPUT=ACCEPT
IPV6_POUTPUT=ACCEPT
IPV6_PFORWARD=DROP